Safety By Default

14 August 2014 by Jenn Granger

It’s amazing the difference one little letter can make. For example, changing http to https can mean the difference between security and insecurity, even though it’s a little squiggle up in our address bar that many of us may not even look for when we’re making sensitive transactions. But there’s a movement that’s saying that all sites should use https by default, and here’s why they’re right.

An https server certificate lets your browser check that it has reached the genuine server for the address in the bar rather than an impostor, and the TLS connection that follows encrypts the traffic between you and that server. More and more companies are turning https on by default as demand for security and transparency rises and customers become aware that it matters, and will take their business elsewhere if they don’t get it; but many sites are still left unprotected. Some may have held off over concerns about performance, but most worries about speed and SEO have been addressed: the CPU cost of TLS on modern hardware is small, and earlier this month Google announced that https is now a (lightweight) ranking signal in its search results.

Google may be in the bad books for privacy, but in this case it is helping redeem itself, as it has been saying that all traffic should be https by default. It isn’t the first to argue the case, though. In January this year Yahoo made https the default for all of Yahoo Mail, following Google’s and Microsoft’s earlier changes to their webmail; as of July last year Facebook made all its traffic https by default too (not that this stops them snooping on you instead!); and Mozilla has had Firefox send its default Google searches over https since mid-2012.

The Electronic Frontier Foundation, together with the Tor Project, has launched the ‘HTTPS Everywhere’ initiative and is promoting “an extension that allows users to more consistently use HTTPS by forcing always-on HTTPS connections by default on websites that only support the feature on an opt-in basis”. So if https is an option for a site, the extension automatically switches you to it. It cannot help on a site that offers no https at all, which is why the change has to come from site owners too. [https://www.eff.org/https-everywhere]

At a recent talk, Google described three layers of protection that https gives a connection:

Authentication – are they who they claim to be?

Data integrity – has anyone tampered with it?

Encryption – can anyone see my conversation?

And there are plenty of reasons why this matters. Even if an eavesdropper can’t read your most sensitive data, what they can piece together from the unencrypted sites you visit still paints a big picture of who you are, and that affects your privacy. If you run a site, it affects not just you but your visitors too: over plain http, anyone on the path between them and your server, from the coffee-shop wifi to the ISP, can read and alter what they see.

Here are some tips from Google on how to get started securing your site:

Decide which kind of certificate you need: single-name, multi-domain, or wildcard. A single-name certificate covers one hostname, a multi-domain certificate lists several hostnames in its Subject Alternative Name field, and a wildcard such as *.example.com covers every direct subdomain (but not example.com itself, and not deeper names like a.b.example.com).
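As an added example (not code from the post or from Google’s guidance), here is the hostname-matching logic that sits behind the ‘authentication’ layer listed above and that decides which of the three certificate types you need. The sample certificates and hostnames are constructed for the example; the matching rules follow RFC 6125 (case-insensitive comparison, a wildcard only as the whole leftmost label, matching exactly one label, and never standing in for a bare TLD).

```python
"""Hostname matching behind the https 'authentication' check, plus a helper
that picks between single-name, multi-domain and wildcard certificates.
Added example; the sample certificates below are constructed, not real."""
from typing import Iterable


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one DNS name from a certificate (possibly a wildcard) cover hostname?

    Rules follow RFC 6125: comparison is case-insensitive, a wildcard may only
    be the entire leftmost label, it matches exactly one label, and it may not
    stand in for a whole public suffix such as *.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if any(not label for label in p_labels + h_labels):
        return False                      # empty label: malformed name
    if len(p_labels) != len(h_labels):
        return False                      # *.example.com never spans a.b.example.com
    if "*" not in pattern:
        return p_labels == h_labels       # plain name: exact match only
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                      # w*.example.com or www.*.com: rejected
    if len(p_labels) < 3:
        return False                      # *.com would cover the whole TLD
    return p_labels[1:] == h_labels[1:]   # the wildcard stands for one label


def certificate_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name in the certificate's Subject Alternative Names covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


def certificate_type_for(hostnames: Iterable[str]) -> str:
    """Suggest the simplest certificate type that covers every host you serve."""
    hosts = sorted({h.lower().rstrip(".") for h in hostnames})
    if len(hosts) == 1:
        return "single"
    parents = {h.partition(".")[2] for h in hosts}
    if len(parents) == 1:
        parent = parents.pop()
        # One wildcard covers them all only if *.<parent> is a valid wildcard name;
        # a bare example.com alongside www.example.com forces multi-domain.
        if name_matches("*." + parent, hosts[0]):
            return "wildcard"
    return "multi-domain"


# Constructed sample certificates, one per type the post names.
SINGLE_CERT = ["www.example.com"]
MULTI_DOMAIN_CERT = ["example.com", "www.example.com", "mail.example.com"]
WILDCARD_CERT = ["*.example.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, "covered by *.example.com:", certificate_covers(WILDCARD_CERT, host))
    print(certificate_type_for(["www.example.com", "mail.example.com", "api.example.com"]))
    print(certificate_type_for(["example.com", "www.example.com"]))
```

The wildcard checks are where real-world mistakes hide: a wildcard bought for *.example.com does not secure example.com itself, so a site that serves both needs a multi-domain certificate or a wildcard plus the bare name in its SAN list.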